Re: [syslog-ng]syslog-ng mistreating data as part of the hostname ?
Some more info.

Tracing the output of the SSR, the packet does not contain the hostname at the proper place but only the timestamp. So the output looks like (translated into ASCII):

<174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53

The format as described in rfc3164 is only required for relays, which the router is not, as it is the originator of the packet. In fact in the standard it reads:

4.2 Original syslog Packets Generated by a Device

There are no set requirements on the contents of the syslog packet as it is originally sent from a device. It should be reiterated here that the payload of any IP packet destined to UDP port 514 MUST be considered to be a valid syslog message. It is, however, RECOMMENDED that the syslog packet have all of the parts described in Section 4.1 - PRI, HEADER and MSG - as this enhances readability by the recipient and eliminates the need for a relay to modify the message.

Setting 'keep_hostname(yes)', the message will be displayed correctly but without the hostname (contrary to the normal Linux syslog). I could not fiddle out a single set of options that would have given me the output of the standard syslog. Any hints on what I can do besides calling an external program?

Best regards, Kind regards,
Patrick Hildenbrand
Patrick Hildenbrand
Operations & Technology
SAP Hosting AG & Co. KG
Raiffeisenring 45
68789 St. Leon-Rot, Germany
T +49/6227/7-66410
F +49/6227/7-66301
E patrick.hildenbrand@sap.com
http://www.saphosting.com
On Wed, Jan 16, 2002 at 05:14:11PM +0100, Hildenbrand, Patrick wrote:
> Some more info.
>
> Tracing the output of the SSR, the packet does not contain the hostname at the proper place but only the timestamp. So the output looks like (translated into ASCII):
>
> <174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53

This is how Solaris and Digital Unix boxes send syslog packets too.

> The format as described in rfc3164 is only required for relays, which the router is not, as it is the originator of the packet. In fact in the standard it reads:
>
> 4.2 Original syslog Packets Generated by a Device
>
> There are no set requirements on the contents of the syslog packet as it is originally sent from a device. It should be reiterated here that the payload of any IP packet destined to UDP port 514 MUST be considered to be a valid syslog message. It is, however, RECOMMENDED that the syslog packet have all of the parts described in Section 4.1 - PRI, HEADER and MSG - as this enhances readability by the recipient and eliminates the need for a relay to modify the message.
>
> Setting 'keep_hostname(yes)', the message will be displayed correctly but without the hostname (contrary to the normal Linux syslog). I could not

Linux syslog sends messages like this:

<123>named[123]: another error from BIND, you should use djbdns

It is up to the relay/collector to input the complete header.

> fiddle out a single set of options that would have given me the output of the standard syslog. Any hints on what I can do besides calling an external program?
I missed the beginning of this thread, is "%ACL_LOG-I-DENY" getting set as your hostname? I had the same problem with Solaris logs when the "TAG" field had a space in it, so syslog-ng (correctly) thinks the first part of the process name (in the "TAG") was the hostname. I wrote a syslog proxy to overcome this, since I can't ask syslog-ng to stop following standards.

Perhaps syslog-ng can have a configuration setting where if it receives a certain string in the hostname field, you can set keep-hostname to no for just that message. That would save the day for me, but I don't know how hard it would be to implement that.

--
Nate Campi http://www.campin.net GnuPG key: 0xC17AEF79
Fear leads to anger. Anger leads to hate. Hate leads to using Windows NT for mission-critical applications.
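The relay behaviour both messages circle around (a datagram whose HEADER carries a TIMESTAMP but no HOSTNAME, the Linux form with neither, syslog-ng's keep_hostname option, and Nate's wish for a per-string override) can be shown in a small normaliser. The following is an added example written for this thread; it is neither syslog-ng code nor Nate's proxy. It applies the relay rules of RFC 3164 section 4.3: fill in the sender's address when the token after the timestamp cannot be a hostname, add a timestamp when there is none, and insert <13> when the PRI is missing. The sender addresses, the NOT_HOSTNAMES deny list and the sample packets in the __main__ block are constructed.

```python
"""Normalise RFC 3164 syslog datagrams whose HEADER has no HOSTNAME.

Constructed example for this thread; it is not syslog-ng code. It does what
RFC 3164 section 4.3 asks of a relay: a packet with a valid PRI and TIMESTAMP
but no recognisable HOSTNAME gets the sender's address inserted, a packet with
neither gets a TIMESTAMP as well, and a packet without a valid PRI gets <13>.
"""
import re
from datetime import datetime
from typing import Optional

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(rf"^(?:{MONTHS}) [ 0-3]\d \d\d:\d\d:\d\d$")  # exactly 15 characters
# HOSTNAME: a label, FQDN or dotted-quad; only letters, digits, dots and hyphens.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# Tokens devices are known to put where HOSTNAME belongs (the per-string rule
# Nate asks for). Constructed list; "last" covers "last message repeated N times".
NOT_HOSTNAMES = {"last"}


def looks_like_hostname(token: str) -> bool:
    """True if the token could be a HOSTNAME and is not on the deny list."""
    return bool(HOST_RE.match(token)) and token.lower() not in NOT_HOSTNAMES


def parse_rfc3164(raw: str, sender: str, now: Optional[datetime] = None,
                  keep_hostname: bool = True) -> dict:
    """Split a datagram into PRI, TIMESTAMP, HOSTNAME and MSG, filling gaps.

    sender is the source address of the UDP packet; it becomes HOSTNAME when
    the header has none, or always when keep_hostname is False (the same
    meaning as syslog-ng's keep_hostname(no)).
    """
    now = now or datetime.now()
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), raw[m.end():]
    else:
        pri, rest = 13, raw          # RFC 3164 4.3.3: no valid PRI -> user.notice
    facility, severity = divmod(pri, 8)

    # TIMESTAMP is exactly 15 characters, then one space (or end of packet).
    has_timestamp = (len(rest) >= 15 and TS_RE.match(rest[:15]) is not None
                     and (len(rest) == 15 or rest[15] == " "))
    if has_timestamp:
        timestamp, rest = rest[:15], rest[16:]
    else:
        timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"   # time of receipt

    # RFC 3164 4.3.2: without a TIMESTAMP there is no HOSTNAME either, so the
    # remainder is MSG. With one, the next token is HOSTNAME only if it can be.
    token, sep, tail = rest.partition(" ")
    if has_timestamp and sep and looks_like_hostname(token):
        msg = tail
        hostname = token if keep_hostname else sender
        from_header = keep_hostname
    else:
        hostname, msg, from_header = sender, rest, False

    return {"pri": pri, "facility": facility, "severity": severity,
            "timestamp": timestamp, "hostname": hostname, "msg": msg,
            "hostname_from_header": from_header}


def normalise(raw: str, sender: str, now: Optional[datetime] = None,
              keep_hostname: bool = True) -> str:
    """Return the datagram rewritten with a complete PRI, HEADER and MSG."""
    p = parse_rfc3164(raw, sender, now, keep_hostname)
    return f"<{p['pri']}>{p['timestamp']} {p['hostname']} {p['msg']}"


if __name__ == "__main__":
    # Constructed sample packets: the SSR line from the thread, the Linux line
    # Nate shows, and the example from RFC 3164 itself. Sender addresses are
    # documentation-range placeholders, not real hosts.
    samples = [
        ('<174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP '
         '192.168.1.2:4721 -> 14.9.1.3:53', "192.0.2.1"),
        ("<123>named[123]: another error from BIND, you should use djbdns", "192.0.2.2"),
        ("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
         "192.0.2.3"),
    ]
    for raw, sender in samples:
        print(normalise(raw, sender, datetime(2002, 1, 16, 17, 14, 11)))
```

The character test alone is what turns "%ACL_LOG-I-DENY," away from the HOSTNAME slot; the NOT_HOSTNAMES set is for the Solaris case Nate describes, where the stray token is made of ordinary hostname characters and only a known-string match can tell it apart. Running such a filter in front of the collector keeps the recorded hostname tied to the packet's source address rather than to whatever the device happened to put after the timestamp.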